DETAILED ACTION

1. In response to amendment filed on 20 December 2007 and Examiner Initiated Interview
on 4 January 2008. Claims 1, 2, 4, 8, 9, 11, 12, 14, 18, 19, 21, 23, 24, 26-28, 31, 33, 34, 36-38,
41-47, 49, and 56 are amended. Claims 22, 32, and 42 are canceled. Claims 52-57 are new.
Amendments to the claims are accepted. 

2. An examiner's amendment to the record is attached. Please enter entire claim set. Should 
the changes and/or additions be unacceptable to applicant, an amendment may be filed as 
provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. The examiner's amendment was authorized 
by attorney of record Paul P. Kriz in a phone interview on 4 January 2008 which was confirmed 
by an email. 

Response to Arguments 

3. Applicant's arguments filed 20 December 2007 have been fully considered and they are 
persuasive. 

Allowable Subject Matter 

4. Claims 1-21, 23-31, 33-41, and 43-57 are allowed. 

Conclusion 

5. Any comments considered necessary by applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance".

6. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Ellen C Tran whose telephone number is
(571) 272-3842. The examiner can normally be reached from 7:30 am to 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor,
Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization
where this application or proceeding is assigned is (571) 273-8300.

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Ellen C. Tran
Patent Examiner 
Technology Center 2134 
5 January 2008

Examiner's Amendment

This listing of the claims will replace all prior versions and listings of the claims in the 
application: 

Listing of Claims:

1. (Previously Presented) In a first node of a physical network supporting multiple 
virtual network connections, a method to dynamically modify configuration data 
supporting virtual networks, the method comprising: 

receiving i) destination network address information associated with at 
least one host computer, and ii) a corresponding gateway identifier of a gateway 
in the physical network, the gateway being an ingress edge node of the physical 
network through which the at least one host computer communicates; 

generating a notification message including the destination network 
address information and the corresponding gateway identifier; and 

transmitting the notification message to a second node of the physical 
network enabling the second node to create a mapping between the at least one 
host computer and a virtual network connection between the second node and 
the first node on which to forward data messages from the second node through 
the gateway to the at least one host computer based on identifying, as specified 
by the mapping, that the data messages having the destination network address 
information are to be mapped to and sent over the virtual network connection to 
the at least one host computer through the gateway as specified by the 
corresponding gateway identifier. 

2. (Previously Presented) A method as in claim 1, wherein generating a notification 
message further comprises: 

generating at least a portion of the notification message in accordance 
with a distribution protocol utilized by service providers to disseminate routing 
policy information to customer edge nodes; and

wherein transmitting a notification message includes:
transmitting the destination network address information and the 
corresponding gateway identifier as an appendix to the notification message. 

3. (Original) A method as in claim 2, wherein the distribution protocol is based at 
least in part on an interautonomous system routing protocol and the virtual 
network connection between the second node and the first node is a virtual 
private network connection overlaid on the physical network, one end of the 
virtual private network connection terminating at the gateway identified by the 
corresponding gateway identifier. 

4. (Previously Presented) A method as in claim 1 further comprising: 

transmitting routing policy attribute information in addition to the 
destination network address information and corresponding gateway identifier to 
the second node to more particularly define a policy for routing the data 
messages on a corresponding virtual network connection through the gateway to 
the at least one host computer. 

5. (Original) A method as in claim 1, wherein the first and the second nodes are 
part of a network that does not inherently support encryption services and 
configuration data at the second node at least partially supports encryption of 
data messages forwarded to the at least one host computer through the gateway 
identified by the corresponding gateway identifier. 

6. (Original) A method as in claim 1, wherein transmitting the network address and 
identifier includes: 

delivering the notification message including the network address and 
corresponding gateway identifier to multiple customer edge nodes of the physical 
network, each customer edge node updating its corresponding configuration data 
for establishing private networks between the customer edge nodes based on the
network address and corresponding gateway identifier. 

7. (Original) A method as in claim 1, wherein the first and second nodes are
customer edge nodes in a network and the network supports virtual private
networks terminating at the customer edge nodes.

8. (Previously Presented) A method as in claim 1, wherein the destination network
address information identifies a single host computer.

9. (Previously Presented) A method as in claim 1, wherein the destination network
address information identifies a range of host computers that are part of a 
network coupled to the first node. 

10. (Original) A method as in claim 1, wherein the corresponding gateway identifier 
is an IPsec identity associated with the at least one host computer. 

11. (Previously Presented) A computer system at a first node of a physical network
that at least partially supports a virtual network connection, the computer system 
comprising: 

a processor; 

a memory unit that stores instructions associated with an application 
executed by the processor; 

a communication interface that supports communication with other nodes 
of the physical network; and 

an interconnect coupling the processor, the memory unit, and the 
communication interface, enabling the computer system to execute the 
application and perform operations of:

receiving i) destination network address information associated with
at least one host computer, and ii) a corresponding gateway identifier of a 
gateway in the physical network; 

generating a notification message including the destination network 
address information and the corresponding gateway identifier; and 

transmitting the notification message including the destination 
network address information and the corresponding gateway identifier to a 
second node of the physical network enabling the second node to 
establish a virtual network connection between the second node and the 
first node on which to forward data messages to the at least one host 
computer based on the corresponding gateway identifier. 

12. (Previously Presented) A computer system as in claim 11 that, when generating
a notification message and respectively transmitting a notification message, 
further performs operations of: 

generating at least a portion of the notification message in accordance 
with a distribution protocol utilized by service providers to disseminate routing 
policy information to customer edge nodes; and 

transmitting the destination network address information and the 
corresponding gateway identifier as an appendix to the notification message. 

13. (Original) A computer system as in claim 12, wherein the distribution protocol is 
based at least in part on an interautonomous system routing protocol and the 
virtual network connection between the second node and the first node is a 
virtual private network connection overlaid on the physical network, one end of 
the virtual private network connection terminating at the gateway identified by the 
corresponding gateway identifier. 

14. (Previously Presented) A computer system as in claim 11 that further performs
an operation of:

transmitting routing policy attribute information in addition to the
destination network address information and corresponding gateway identifier to 
the second node to more particularly define a policy for routing the data 
messages on a corresponding virtual network connection through the gateway to 
the at least one host computer. 

15. (Original) A computer system as in claim 11, wherein the first and the second
nodes are part of a network that does not inherently support encryption services 
and configuration data at the second node at least partially supports encryption 
of data messages forwarded to at least one host computer through the gateway 
identified by the corresponding gateway identifier. 

16. (Original) A computer system as in claim 11 that, when transmitting the network
address and identifier, further performs operations of:

delivering the notification message including the network address and 
corresponding gateway identifier to multiple customer edge nodes of the physical 
network, each customer edge node updating its corresponding configuration data 
for establishing private networks between the customer edge nodes based on the 
network address and corresponding gateway identifier. 

17. (Original) A computer system as in claim 11, wherein the first and second nodes 
are customer edge nodes in a network configured according to Request For 
Comment 2547 and the network supports virtual private networks terminating at 
the customer edge nodes. 

18. (Previously Presented) A computer system as in claim 11, wherein the
destination network address information identifies a single host computer
configured to receive data messages transmitted over the virtual network
connection and through the first node from the second node.

19. (Currently Amended) A computer system as in claim 11, wherein the destination
network address information identifies a range of host computers that are part of 
a network coupled to the first node. 

20. (Original) A computer system as in claim 11, wherein the corresponding gateway
identifier is a network address of the at least one host computer. 

21. (Previously Presented) In a receiving node of a physical network supporting 
multiple virtual network connections, a method to dynamically modify 
configuration data associated with at least one of the multiple virtual network 
connections, the method comprising: 

receiving a notification message from a sending node of the physical 
network, the notification message including destination network address 
information and a corresponding gateway identifier of a gateway of the physical 
network; 

based on contents of the notification message, modifying a map at the 
receiving node to include the destination network address information, the 
corresponding gateway identifier, and configuration data identifying at least part 
of a virtual network connection between the receiving node and the sending node 
on which to forward data messages through the gateway to a destination node as 
specified by the destination network address information; and 

upon forwarding data messages through the receiving node, utilizing the 
map to identify on which virtual network to forward the data messages from the 
receiving node through the gateway to the destination node based on the 
destination network address information associated with the destination node to 
which the data messages are directed. 

22. (Canceled) 

23. (Previously Presented) A method as in claim 21 further comprising:

at the receiving node including the map, receiving a data message to be
forwarded based on a corresponding destination address; 

comparing the destination address and a source address of the data 
message to destination network address information stored in the map; 

identifying, based on the destination address, how to transmit the data 
message to the destination node based on a corresponding virtual network 
connection specified in the map. 

24. (Previously Presented) A method as in claim 23 further comprising: 

in response to identifying that the destination address of the data message 
matches destination network address information in the map, establishing the 
corresponding virtual network connection specified in the map on which to 
transmit the data message to the destination node. 

25. (Original) A method as in claim 24, wherein establishing a virtual network 
connection includes establishing a virtual private network connection between 
the receiving node and sending node based on IKE (Internet Key Exchange) 
protocol and IPsec (Internet Protocol Security).

26. (Previously Presented) A method as in claim 23 further comprising: 

in response to identifying that the destination address of the data message 
matches destination network address information in the map, identifying whether 
a corresponding virtual network connection specified in the map has been 
established and, if so, transmitting the data message on the established virtual
network connection to the destination node.

27. (Previously Presented) A method as in claim 21, wherein the destination network 
address information identifies a single host computer.

28. (Previously Presented) A method as in claim 21, wherein the destination network
address information identifies a range of host computers that are part of a 
network coupled to the first node. 

29. (Original) A method as in claim 21, wherein the corresponding gateway identifier
is an IPsec identity associated with the at least one host computer. 

30. (Original) A method as in claim 21, wherein the gateway is located in the
sending node.

31. (Previously Presented) A computer system at a receiving node of a physical
network that at least partially supports a virtual network connection, the computer 
system comprising: 

a processor; 

a memory unit that stores instructions associated with an application 
executed by the processor; 

a communication interface that supports communication with other nodes 
of the physical network; and 

an interconnect coupling the processor, the memory unit, and the 
communication interface, enabling the computer system to execute the 
application and perform operations of: 

receiving a notification message from a sending node of the
physical network, the notification message including destination network
address information of a destination node and a corresponding gateway
identifier of a gateway of the physical network;

based on contents of the notification message, modifying a map at 
the receiving node to include the destination network address information, 
the corresponding gateway identifier, and configuration data identifying at 
least part of a virtual network connection between the receiving node and 
the sending node on which to forward data messages through the 
gateway to the destination node as specified by the destination network
address information; and 

utilizing the map to identify on which of multiple virtual network 
connections to forward the data messages from the receiving node 
through the gateway to the destination node based on the destination 
network address information associated with the destination node to which 
the data messages are directed to support forwarding of data messages 
through the receiving node. 

32. (Canceled) 

33. (Previously Presented) A computer system as in claim 31 that further performs 
operations of:

at the receiving node including the map, receiving a data message to be 
forwarded based on a corresponding destination address; 

comparing the destination address and a source address of the data 
message to destination network address information stored in the map; 

identifying, based on the destination address, how to transmit the data 
message to the destination node based on a corresponding virtual network 
connection specified in the map. 

34. (Previously Presented) A computer system as in claim 33 that further performs 
operations of: 

in response to identifying that the destination address of the data message 
matches destination network address information in the map, establishing the 
corresponding virtual network connection specified in the map on which to 
transmit the data message to the destination node. 

35. (Original) A computer system as in claim 34, wherein establishing a virtual 
network connection includes establishing a virtual private network connection 
between the receiving node and sending node based on IKE (Internet Key
Exchange) protocol and IPsec (Internet Protocol Security).

36. (Previously Presented) A computer system as in claim 33 that further performs 
operations of: 

in response to identifying that the destination address of the data message 
matches destination network address information in the map, identifying whether 
a corresponding virtual network connection specified in the map has been 
established and, if so, transmitting the data message on the established virtual 
network connection to the destination node. 

37. (Previously Presented) A computer system as in claim 31, wherein the
destination network address information identifies a single host computer.

38. (Previously Presented) A computer system as in claim 31, wherein the
destination network address information identifies a range of host computers that
are part of a network coupled to the first node.

39. (Original) A computer system as in claim 31, wherein the corresponding gateway
identifier is a network address of the at least one host computer. 

40. (Original) A computer system as in claim 31, wherein the gateway is located in 
the sending node. 

41. (Previously Presented) A computer program product including a
computer-readable medium having instructions stored thereon for processing data
information, such that the instructions, when carried out by a processing device, 
enable the processing device to perform the steps of:

receiving i) destination network address information associated with at
least one host computer, and ii) a corresponding gateway identifier of a gateway 
in the physical network; 

generating a notification message including the destination network 
address information and the corresponding gateway identifier; and 

transmitting the notification message to a second node of the physical 
network enabling the second node to establish a virtual network connection 
between the second node and the first node on which to forward data messages
to the at least one host computer based on a mapping association, at the second
node, between the destination network address information and the
corresponding gateway identifier.

42. (Canceled) 

43. (Previously Presented) A computer program product including a computer- 
readable medium having instructions stored thereon for processing data 
information, such that the instructions, when carried out by a processing device, 
enable the processing device to perform the steps of: 

receiving a notification message from a sending node of the physical 
network, the notification message including destination network address 
information and a corresponding gateway identifier of a gateway of the physical 
network; 

based on contents of the notification message, modifying a map at the 
receiving node to include the destination network address information, the
corresponding gateway identifier, and configuration data identifying at least part
of a virtual network connection between the receiving node and the sending node 
on which to forward data messages through the gateway to a destination node as 
specified by the destination network address information; and 

utilizing the map to identify on which virtual network to forward the data 
messages through the gateway to the destination node based on the destination 
network address information associated with the destination node to which the
data messages are directed to support forwarding of data messages through the 
receiving node. 

44. (Previously Presented) A computer system at a receiving node of a physical 
network that at least partially supports a virtual network connection, the computer 
system comprising: 

means for receiving a notification message from a sending node of the
physical network, the notification message including destination network address
information and a corresponding gateway identifier of a gateway of the physical 
network; and 

means for modifying a map at the receiving node to include the destination 
network address information, the corresponding gateway identifier, and 
configuration data identifying at least part of a virtual network connection 
between the receiving node and the sending node on which to forward data 
messages through the gateway to a destination node as specified by the 
destination network address information; and 

means for utilizing the map to identify on which virtual network to forward 
the data messages from the receiving node through the gateway to the 
destination node based on the destination network address information 
associated with the destination node to which the data messages are directed to 
support forwarding of data messages through the receiving node. 

45. (Previously Presented) In a physical network supporting virtual private network 
connections terminating at customer edge routers coupled to a service provider 
network, a method comprising: 

at a first customer edge router: 

receiving a range of destination network addresses associated with 
host computers coupled to the first customer edge router;

in addition to receiving the range of destination network addresses,
receiving a security gateway identifier associated with a second customer edge 
router of the service provider network; 

generating and transmitting a notification message including the range of 
destination network addresses and the security gateway identifier to the second 
customer edge router; and 

at the second customer edge router: 

receiving the notification message; 

based on contents of the notification message, generating a map to 
include the range of destination network addresses and a corresponding 
virtual private network connection between the second customer edge 
router and first customer edge router; and 

prior to forwarding data messages through the second customer 
edge router to a computer having a destination network address in the 
range of destination network addresses, utilizing the map to identify on 
which virtual private network to forward the data messages. 

46. (Previously Presented) A method as in claim 1 further comprising: 

generating a map at the second node based on the destination network 
address information and the corresponding gateway identifier of the gateway for 
routing of messages destined for the at least one host computer via the gateway 
identifier, the second node supporting forwarding of the messages to the at least 
one host computer through the gateway as specified by the corresponding 
gateway identifier. 

47. (Previously Presented) A method as in claim 2, wherein transmitting the 
notification message to the second node includes: 

transmitting the notification message from a first customer edge node 
through a path including a service provider network to a second customer edge 
node, the second customer edge node configured to utilize the destination 
network address information and the corresponding gateway identifier to create a
map specifying the gateway in the physical network as specified by the 
corresponding gateway identifier on which to forward messages from the second 
customer edge node through the service provider network to the first customer 
edge node to the at least one host computer. 

48. (Previously Presented) A method as in claim 47, wherein transmitting the 
notification message from the first customer edge node through the path 
including the service provider network to the second customer edge node 
includes: 

transmitting the notification message to a first service provider edge router 
in the service provider network, the first service provider edge router configured 
to distribute the notification message to multiple other service provider edge 
routers in the service provider network. 

49. (Currently Amended) A method as in claim 48, wherein each of the multiple other 
service provider edge routers in the service provider network is configured to 
identify which virtual private network the corresponding gateway identifier is 
associated with for purposes of advertising the destination network address 
information and the corresponding gateway identifier to appropriate customer 
edge nodes, a given provider edge router of the other service provider edge 
routers configured to receive the notification message from the first service 
provider edge router and forward the destination network address information 
and the corresponding gateway identifier to the second customer edge router. 

50. (Previously Presented) A method as in claim 49, wherein the given service 
provider edge router is configured to determine a virtual private network to which 
the notification message pertains based on use of a route target extended 
community attribute.

51. (Previously Presented) A method as in claim 47 further comprising:

maintaining at least one encryption key in the map to enable the second 
customer edge node to identify how to encrypt information transmitted to the at 
least one host computer. 

52. (Previously Presented) A computer system as in claim 31, wherein the virtual
network connection between the receiving node and sending node is a first 
virtual network connection of the multiple virtual network connections on which to 
forward data from the receiving node through the sending node to the destination 
node; 

wherein the destination node is a first destination host computer of 
multiple destination host computers to which the sending node serves as a pass- 
through node for forwarding data received from the receiving node; 

wherein the notification message is a first notification message; and 
wherein the corresponding gateway identifier is a first gateway identifier. 

53. (Previously Presented) A computer system as in claim 52 further supporting 
operations of: 

receiving a second notification message from the sending node of the 
physical network, the second notification message including destination network 
address information of a second destination node and a second gateway 
identifier of a second gateway of the physical network, the second destination 
node being a second destination host computer of the multiple destination host 
computers; 

based on contents of the second notification message, modifying the map 
at the receiving node to include the second destination network address 
information, the second gateway identifier, and configuration data identifying at 
least part of a second virtual network connection between the receiving node and 
the sending node on which to forward data messages through the second 
gateway to the second destination node as specified by the second destination
network address information; and 

utilizing the map to select the second virtual network connection of the 
multiple virtual networks to forward a given received data message from the 
receiving node through the gateway to the second destination node based on 
identifying that the given received data message includes a destination network 
address equivalent to the second destination network address information in the 
map. 

54. (Previously Presented) A computer system as in claim 53, wherein the receiving 
node is a first customer edge router and the sending node is a second customer 
edge router in a service provider network; and wherein the first destination host 
computer and the second destination host computer reside external to the 
service provider network. 

55. (Previously Presented) A method as in claim 21 further comprising: 

based on receiving multiple notification messages from the sending node: 

maintaining the map at the receiving node to include destination 
network address information for a first destination host computer and a 
first corresponding virtual network connection on which to forward data 
destined for the first destination host computer through the sending node 
to the first destination host computer; and 

maintaining the map at the receiving node to include destination 
network address information for a second destination host computer and a 
second corresponding virtual network connection on which to forward data 
destined for the second destination host computer through the sending 
node to the second destination host computer. 

56. (Currently Amended) A method as in claim [[54]] 55 further comprising:

receiving first data at the receiving node, the first data having a
destination network address specifying the first destination host computer as a 
respective recipient to which the first data is directed; 

utilizing the map to identify the first corresponding virtual network 
connection as a path on which to forward the first data to the first destination host 
computer from the receiving node over the first virtual network connection to the 
sending node for further transmission of the first data from the sending node to 
the first destination host computer; 

receiving second data at the receiving node, the second data having a 
destination network address specifying the second destination host computer as 
a respective recipient to which the second data is directed; and 

utilizing the map to identify the second corresponding virtual network 
connection as a path on which to forward the second data to the second 
destination host computer from the receiving node over the second virtual 
network connection to the sending node for further transmission of the second 
data from the sending node to the second destination host computer. 

57. (Previously Presented) A method as in claim 56, wherein the receiving
node is a first customer edge router and the sending node is a second customer
edge router of a service provider network; and 

wherein the first destination host computer and the second destination 
host computer reside external to the service provider network. 




